The Oklahoma House Technology Committee unanimously recommended that the state’s legislature vote on House Bill 1602, aka the Oklahoma Computer Data Privacy Act (“OCDPA”), which if approved would require companies to obtain explicit permission to collect and sell personal data. The legislation has bipartisan support and is co-authored by more than 40 representatives and senators and is expected to pass when the bill comes to a vote.
Though there are similarities in the laws, there are two significant developments with the OCDPA. First, the legislation is one of the first “opt-in” data privacy bills in the country, meaning that companies will have to ask for consent prior to collecting personally identifiable information (“PII”), which includes information such as name, email address, phone number and IP address. In that sense, the OCDPA may look more like GDPR than CCPA; the latter of which is an “opt-out” jurisdiction. Second, the OCDPA has bright-line thresholds which should exempt some small businesses from compliance obligations, however these thresholds are lower than regulations such as CCPA, so a higher percentage of businesses collecting data from Oklahoma residents are likely to be in scope.
OCDPA would apply to any company that does business in Oklahoma that collects consumers’ personal information or has that information collected on the business’s behalf and satisfies one or more of the following thresholds:
As with CCPA, OCDPA is an “or” test, meaning that if your company exceeds any of these three brightline thresholds, you’re in scope.
OCDPA enumerates a number of rights for consumers, including:
OCDPA includes a provision for a private right of action, meaning that private citizens would be able to file a lawsuit or make a claim against an offending company and receive injunctive relief, actual damages and statutory damages up to $7,500 for intentional violations. Additionally, the Oklahoma Corporation Commission can enforce OCDPA against companies in the same manner as private citizens.
If passed, OCDPA would become effective on November 1, 2021, meaning that companies will need to get compliant quickly if the bill passes.
The proposed OCDPA would be yet another privacy law with which businesses need to comply, and the nuances of each law exclude the possibility for a one-size-fits-all solution. Implementing a flexible approach will be key to compliance efforts as additional laws around the country and globe continue to be implemented.
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws, including those in the UK, as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.